WO2020046762A1 - Memory access control through permissions specified in page table entries for execution domains - Google Patents

Memory access control through permissions specified in page table entries for execution domains Download PDF

Info

Publication number
WO2020046762A1
WO2020046762A1 PCT/US2019/048020 US2019048020W WO2020046762A1 WO 2020046762 A1 WO2020046762 A1 WO 2020046762A1 US 2019048020 W US2019048020 W US 2019048020W WO 2020046762 A1 WO2020046762 A1 WO 2020046762A1
Authority
WO
WIPO (PCT)
Prior art keywords
memory
page table
domain
table entry
virtual
Prior art date
Application number
PCT/US2019/048020
Other languages
French (fr)
Inventor
Steven Wallach
Original Assignee
Micron Technology, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Micron Technology, Inc. filed Critical Micron Technology, Inc.
Priority to EP19854482.7A priority Critical patent/EP3844625A4/en
Priority to CN201980055578.8A priority patent/CN112602070A/en
Priority to KR1020217004839A priority patent/KR20210022141A/en
Publication of WO2020046762A1 publication Critical patent/WO2020046762A1/en

Links

Classifications

    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C16/00Erasable programmable read-only memories
    • G11C16/02Erasable programmable read-only memories electrically programmable
    • G11C16/06Auxiliary circuits, e.g. for writing into memory
    • G11C16/22Safety or protection circuits preventing unauthorised or accidental access to memory cells
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02Addressing or allocation; Relocation
    • G06F12/08Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/10Address translation
    • G06F12/1009Address translation using page tables, e.g. page table structures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1458Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1483Protection against unauthorised use of memory or access to memory by checking the subject access rights using an access-table, e.g. matrix or list
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02Addressing or allocation; Relocation
    • G06F12/08Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/10Address translation
    • G06F12/1027Address translation using associative or pseudo-associative address translation means, e.g. translation look-aside buffer [TLB]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/1425Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
    • G06F12/1441Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a range
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/145Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being virtual, e.g. for virtual blocks or segments before a translation mechanism
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1458Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1491Protection against unauthorised use of memory or access to memory by checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0662Virtualisation aspects
    • G06F3/0664Virtualisation aspects at device level, e.g. emulation of a storage device or system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C11/00Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor
    • G11C11/02Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using magnetic elements
    • G11C11/16Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using magnetic elements using elements in which the storage effect is based on magnetic spin effect
    • G11C11/165Auxiliary circuits
    • G11C11/1673Reading or sensing circuits or methods
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C11/00Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor
    • G11C11/02Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using magnetic elements
    • G11C11/16Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using magnetic elements using elements in which the storage effect is based on magnetic spin effect
    • G11C11/165Auxiliary circuits
    • G11C11/1675Writing or programming circuits or methods
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C11/00Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor
    • G11C11/02Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using magnetic elements
    • G11C11/16Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using magnetic elements using elements in which the storage effect is based on magnetic spin effect
    • G11C11/165Auxiliary circuits
    • G11C11/1695Protection circuits or methods
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C16/00Erasable programmable read-only memories
    • G11C16/02Erasable programmable read-only memories electrically programmable
    • G11C16/06Auxiliary circuits, e.g. for writing into memory
    • G11C16/08Address circuits; Decoders; Word-line control circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45583Memory management, e.g. access or allocation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1052Security improvement
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/15Use in a specific computing environment
    • G06F2212/152Virtualized environment, e.g. logically partitioned system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/72Details relating to flash memory management
    • G06F2212/7201Logical to physical mapping or translation of blocks or pages
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C8/00Arrangements for selecting an address in a digital store
    • G11C8/20Address safety or protection circuits, i.e. arrangements for preventing unauthorized or accidental access

Definitions

  • At least some embodiments disclosed herein relate generally to computer architecture and more specifically, but not limited to, memory access control implemented through permissions specified in page table entries for execution domains.
  • Instructions programmed for a computer can be structured in layers.
  • One layer can provide resources and services for another layer.
  • a hypervisor can create or provision virtual machines that are implemented on the hardware components of the computer.
  • An operating system can offer resources and services using resources available in a computer having predefined architecture.
  • the computer resources or computer operated upon by the operating system can be actual computer hardware components, or virtual machine components provisioned by a hypervisor.
  • An application can provide application specific functions using the services and resources provided by an operating system.
  • FIG, 1 shows a system to control memory access according to some embodiments.
  • FIG. 2 shows a permission structure that can be used in the system of FIG. 1.
  • FIG. 3 illustrates a page table entry having a permission set for execution domains.
  • FIG. 4 shows a computer system having a page table to implement memory access permissions.
  • FIG. 5 shows a method to control memory access through permissions specified in page table entries for execution domains.
  • the present disclosure includes the techniques of controlling memory access by different, non-hierarchical, domains of executions based on respective permission sets specified in page table entries.
  • protection rings have been constructed and implemented in computers to protect data and functionality from fault and malicious behaviors based on a hierarchy of rings. Rings are statically arranged in the hierarchy from most privileged (and thus most trusted) to least privileged (and thus least trusted).
  • the hierarchy can include a ring of operating system kernel that is the most privileged, a ring of device drivers, and a ring of applications that are the least privileged.
  • a program or routine in a lower privilege ring can be limited by a respective special hardware enforced control gate to access the resources and services of a higher privilege ring in the hierarchy. Gating access between rings can improve security.
  • instructions or routines programmed for a computer system can be classified into a set of predefined, non- hierarchical, domains, such as a domain of hypervisor, a domain of operating system, a domain of application, etc.
  • the routines can access memory resources via virtual memory addresses that are translated to physical memory addresses via one or more page tables.
  • a physical memory region can be explicitly configured to have different permissions for different domains, without relying upon a static domain hierarchy.
  • FIG. 1 shows a system to control memory access according to some embodiments.
  • the system of FIG. 1 includes physical memory (109) that can be used to store data and instructions for various routines programmed for a computer system.
  • a routine can include a pre-programmed set of instructions stored in the memory (109).
  • the routine can also have input data, output data, and/or, temporary data stored in the memory (109).
  • a routine can invoke or call another routine for services and/or resources.
  • the calling routine and the called routine can be in a same domain or different domains (e.g., 101 , 103, ... , 105).
  • Different regions (121 , 123, 125) in the memory (109) can be configured with different permission sets (e.g., 107); and each permission set (e.g., 107) can include different permissions (e.g., 11 1 , 1 13, ... , 115) for respective domains (101 , 103, ... , 105) that requests access to the memory region (123).
  • the permissions (107) can be specified, for example, in a page table entry used in logical to physical address translation of virtual memory addresses, such that the structure of the memory regions (121 , 123, ... , 125) can correspond to the memory page structure, as further discussed below in connection with FIG. 3.
  • the physical memory (109) is divided into multiple regions (121 , 123, ... , 125).
  • each region e.g., 123 can be a page of physical memory (109) for memory management, or a set of pages of physical memory (109).
  • a typical region Y (e.g., 123) can have a respective set of permissions Y (107) specified for the set of predefined domains (101 , 103, ... , 105).
  • routines of a hypervisor (102) can be classified in a domain A (101); routines of an operating system (104) can be classified in another domain B (103); and routines of applications (106) can be classified in a further domain C (105).
  • a hypervisor or virtual machine monitor (VMM) creates and manages virtual machines.
  • the hypervisor can control basic functions such as physical memory and input/output (I/O).
  • the permissions Y (107) explicitly identify the permissions (1 1 1 , 1 13, ... , 1 15) for the domains (101 , 103, ... , 105) respectively.
  • the privileges of routines to access the region (123) are not dependent on a hierarchy of the domains (102, 103, ... , 105).
  • a routine in the domain (103) can be programmed for an operating system (104) and configured to use the memory region Y (123) for storing instructions and/or data.
  • another routine in the domain (101 ) for a hypervisor (102) accesses the memory region (123) for read, write, or execution of instructions, the permission (1 1 1 ) specified for the domain (101) to access the region (123) is checked.
  • Whether or not to block or reject an access to the memory region (123) for a particular type of operations (e.g., read, write, execution) by an execution in the domain (101 ) can be determined based on a permission bit (e.g., in 1 1 1 ) that is specified for the domain (101 ), for the memory region (123), and for the type of operations.
  • the access control can be independent of a relative hierarchy between the domain (103) and the domain (101 ).
  • different routines of a same domain can be configured to use different regions (e.g., 121 , 123, .., 125) and thus configured to have different permissions for a same domain (e.g , 101 or 105)
  • a routine can be configured to store different portions of its data in different regions (e.g., 121 , 123, ... , 125) and thus configured to have different permissions for a same domain (e.g., 101 , 103, ... , or 105).
  • regions e.g., 121 , 123, ... , 125
  • permissions for a same domain e.g., 101 , 103, ... , or 105.
  • the memory access control system of FIG, 1 does not rely upon a predefined domain hierarchy of trust (i.e., non-hierarchical), it can provide better flexibility and finer control granularity than the conventional protection rings.
  • FIG. 2 shows a permission structure that can be used in the system of FIG. 1
  • a set (1 1 1 , 1 13, ... , or 1 15) of permission bits is specified for each domain (101 , 103, or 105).
  • Each set e.g., 11 1
  • permission bits e.g., 131 , 133, ... , 135 for a set of predefined operations, such as read, write, ... , execution.
  • the read permission (131 ) specified for the domain (101 ) is examined. If the read permission (131 ) is in a first predefined state (e.g., 1 or O), the read operation of the routine is permitted; and if the read permission (131 ) is in a second predefined state (e.g., 0 or 1 ), the read operation of the routine is rejected.
  • a first predefined state e.g., 1 or O
  • a second predefined state e.g., 0 or 1
  • the write permission (133) specified for the domain (101 ) is examined. If the write permission (133) is in a first predefined state (e.g., 1 ), the write operation of the routine is permitted; and if the write permission (133) is in a second predefined state (e.g., 0), the write operation of the routine is rejected.
  • a first predefined state e.g. 1
  • a second predefined state e.g., 0
  • the execution permission (135) specified for the domain (101 ) is examined. If the execution permission (135) is in a first predefined state (e.g., 1 ), the execution is permitted; and if the execution permission (135) is in a second predefined state (e.g., 0), the execution request is rejected.
  • a first predefined state e.g. 1
  • a second predefined state e.g. 0
  • the granularity of the regions (121 , 123, ... , 125) can correspond to the memory pages in a page table for translating virtual memory addresses to physical memory addresses; and the permissions (e.g., 107) can be stored as part of a page table entry of a corresponding region (123), as illustrated in F!G. 3
  • FIG. 3 illustrates a page table entry (153) having a permission set (107) for execution domains (e.g., 101 , 103, ... , 105).
  • a typical virtual address (141 ) in a virtual address space (127) can be translated into a corresponding physical address (159) in a physical address space (129) using a page table (151 ).
  • page table e.g., 151
  • multiple page tables e.g., 151
  • the virtual address (141 ) can include a table ID (143), an entry ID (145), and an offset (147).
  • the table ID (143) can be used to identify a page table (151) that contains a page table entry (153) for a page that contains the memory unit that is identified by the virtual address (141 ) and the physical address (159).
  • the entry ID (145) is used as an index into the page table (151 ) to locate the page table entry (153) efficiently.
  • the page table entry (153) provides a base (157) of the physical address (159). Physical addresses in the same page of memory share the same base (157). Thus, the base (157) identifies the region (123) in the memory (109).
  • the offset (147) of the virtual address (141 ) is used as a corresponding offset (147) in the page or region (123) in the memory (109).
  • the combination of the base (157) and the offset (147) provides the physical address (159) corresponding to the virtual address (141 ).
  • the page table entry (153) specifies not only the base (157) for the page or region (123), but also the permissions (107) for the page or memory region (123), including permissions (1 1 1 , 1 13, ... , 1 15) for the respective domains (101 , 103, ... , 105) illustrated in FIG. 1 ; and for each domain (e.g., 101 ), the page table entry (153) includes a permission bit (131 , 133, ... , or 135) for a respective type of access operations (e.g., read, write, ... , or execution) as illustrated in FIG. 2.
  • a permission bit 131 , 133, ... , or 135 for a respective type of access operations (e.g., read, write, ... , or execution) as illustrated in FIG. 2.
  • the page table entry (153) can specify other attributes (155) of the page of physical memory, such as whether the data in the page is valid, whether the page is in main memory, whether the page is dirty (e.g., the changes in data in the page of physical memory have not yet been flushed to a longer-term
  • the attributes (155) can include a page fault bit indicating whether the page is in the main memory of the computer or in a storage device of the computer. If the permissions (107) allow the current access to the page of memory and the page fault bit indicate that the page is currently not in the main memory of the computer, the memory management unit (181 ) can swap the page from the storage device into the main memory of the computer to facilitate the access to the page identified by the page table entry (153). However, if the permissions (107) deny the current access to the page for the current execution domain, it is not necessary to evaluate the page fault bit and/or to swap in the page corresponding to the page table entry (153).
  • the table ID (143) can be divided into multiple fields used to locate the page table (151 ).
  • the table ID (143) can include a top table ID identifying a top-level page table and a top table entry ID that is used as an index into the top-level page table to retrieve a page table entry containing an identifier of the page table (151), in a way similar to the entry ID (145) indexing into the page iable (151) to identify the page tabie entry (153) containing the base (157).
  • an entry ID (145) can be considered a virtual page number in the page table (151); and the virtual page number (e.g., 145) can be used in the page tabie (151 ) to look up the page table entry (153) containing the base (157).
  • the table ID (143) can include a set of virtual page numbers that can be used to identify a chain of page tables (e.g., 151 ). Each virtual page number is used as an index in a page table (or page directory) to identify the page table entry (or page directory entry) that contains the identity or base of the next level page tabie (or page directory).
  • different running processes in a computer can have different virtual address spaces (e.g., 127); and the process ID of a running process can be used in determine the top-level page table (or page directory).
  • a hash of a portion of the virtual address (141 ), the process ID, and/or an identification of a virtual machine hosted in the computer system can be used to locate the top-level page table (or page directory).
  • a hash is used as an index or key to look up a page table entry.
  • the content of the page table entry (153) can be configured in a way as illustrated in F!G. 3 to provide the permissions (107) for different domains (101 , 103, ... , 105) to access the page/memory region (123) corresponding to the base (157).
  • the permission Y (107) for a page or region Y (123) is specified in the bottom-level page tabie (151 ), where the page tabie entry (153) in the bottom- level page table (151) provides the base (157) of the physical address (159).
  • higher-level page tables can also have domain permission data for their page tabie entries (or page directory entries).
  • a page tabie entry (or page directory entry) identifying the page table (151 ) can have domain permission for all of the pages in the page table (151); and thus, the domain permission data in the page table entry is applicable to the memory region defined by the page tabie (151 ).
  • the hierarchy of permissions specified in the chain of page tabie entries leading to the page tabie (151 ) and the permissions (107) in the bottom-level page table entry (153) can be combined via a logic AND operation or a logic OR operation.
  • a routine running in a domain can be allowed to access a page identified by the base (157) if ail of the permission bits in the chain of page tabie entries leading to the base (157), including the bottom- level table entry (153), have the value that allows access.
  • a routine running in a domain e.g., 101 , 103, 105
  • a routine running in a domain can be denied of access to a page identified by the base (157) if any of the permission bits in the chain of page table entries leading to the base (157), including the bottom- level tabie entry (153), have the value that denies access.
  • a routine running in a domain e.g., 101 , 103, ... , 105 can be denied of access to a page identified by the base (157) only when all of the permission bits in the chain of page table entries leading to the base (157), including the bottom-level table entry (153), have the value that denies access.
  • the domain permission data (e.g., 107) is specified in the bottom-level page table (151 ) but not in the higher-level page tables (directories).
  • FIG. 4 shows a computer system having a page tabie (e.g., 151 ) to implement memory access permissions (e.g., 107) for execution domains (101 , 103, ... , 105).
  • a page tabie e.g., 151
  • memory access permissions e.g., 107
  • the computer system of F!G. 4 has a host system (165) coupled to a memory system (161 ) via one or more buses (163).
  • the memory system (161) has memory components (171 , ... , 173).
  • the buses (163) can include a memory bus connecting to one or more memory modules and/or include a peripheral internet connecting to one or more storage devices.
  • Some of the memory components (171 , ... , 173) can provide random access; and the some of the memory components (171 , ... , 173) can provide persistent storage capability.
  • Some of the memory components (171 , ... , 173) can be volatile in that when the power supply to the memory component is disconnected temporarily, the data stored in the memory component will be corrupted and/or erased.
  • Some of the memory components (171 , ... , 173) can be non-vo!atile in that the memory component is capable of retaining content stored therein for an extended period of time without power.
  • a memory system (161 ) can also be referred to as a memory device.
  • An example of a memory device is a memory module that is connected to a central processing unit (CPU) via a memory bus.
  • Examples of memory modules include a dual in-line memory module (DIMM), a small outline DIMM (SO-DIMM), a non-volatile dual in-line memory module (NVDIMM), etc.
  • Another example of a memory device is a storage device that is connected to the central processing unit (CPU) via a peripheral interconnect (e.g., an input/output bus, a storage area network).
  • Examples of storage devices include a solid-state drive (SSD), a flash drive, a universal serial bus (USB) flash drive, and a hard disk drive (HDD) in some instances, the memory device is a hybrid memory/storage system that provides both memory functions and storage functions.
  • SSD solid-state drive
  • USB universal serial bus
  • HDD hard disk drive
  • the memory components (171 , ... , 173) can include any combination of the different types of non-volatile memory components and/or volatile memory components.
  • An example of non-volatile memory components includes a negative- and (NAND) type flash memory with one or more arrays of memory cells such as single level cells (SLCs) or multi-level cells (MLCs) (e.g., triple level ceils (TLCs) or quad-level cells (QLCs)).
  • a particular memory component can include both an SLC portion and an MLC portion of memory cells.
  • Each of the memory cells can store one or more bits of data (e.g., data blocks) used by the host system (165).
  • a memory component (171 , ... , or 173) can include a type of volatile memory in some instances, a memory component (171 , ... , or 173) can include, but is not limited to, random access memory (RAM), read-only memory (ROM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), phase change memory (PCM), magneto random access memory (MRAM), Spin Transfer Torque (STT)-MRAM, ferroelectric random-access memory (FeTRAM), ferroelectric RAM (FeRAM), conductive bridging RAM (CBRAM), resistive random access memory (RRAM), oxide based RRAM (OxRAM), negative-or (NOR) flash memory, electrically erasable programmable read-only memory (EEPROM), nanowire-based non-volatile memory, memory that incorporates memristor technology, and/or a cross-point array of non-volatile memory cells.
  • RAM random access memory
  • ROM read-only memory
  • DRAM dynamic random access memory
  • SDRAM
  • a cross-point array of non-volatile memory can perform bit storage based on a change of bulk resistance, in conjunction with a stackable cross-gridded data access array. Additionally, in contrast to many flash- based memories, cross-point non-volatile memory can perform a write in-place operation, where a non-volatile memory ceil can be programmed without the non volatile memory ceil being previously erased.
  • a host system (185) can utilize a memory system (161 ) as physical memory (109) that includes one or more memory components (171 , ... , 173).
  • the host system (165) can load instructions from the memory system (161 ) for execution, provide data to be stored at the memory system (161 ), and request data to be retrieved from the memory system (161 ).
  • the host system (165) includes a memory management unit (MMU) (181 ) and a processor (169).
  • the processor (169) has execution units (e.g., 185), such as an arithmetic-logic unit.
  • the processor (189) has registers (183) to hold instructions for execution, data as operands of instructions, and/or results of instruction executions.
  • the processor (169) can have an internal cache (187) as a proxy of a portion of the memory system (161 ).
  • the host system (165) can include multiple processors (e.g., 189) integrated on a same silicon die as multiple processing cores of a central processing unit (GPU).
  • processors e.g., 189
  • GPU central processing unit
  • Routines programmed for executing in the processor (189) can be initially stored in the memory system (161 ).
  • the routines can include instructions for a hypervisor (102), an operating system (104), and an application (106).
  • the routines stored initially in the memory system (161 ) can be loaded to the internal cache (187) and/or the registers (183) for execution in the execution units (185).
  • the running instances of the routines form the executions (167) of the hypervisor (102), the operating system (104), and the application (106).
  • a hypervisor (102) is not used; and the operating system (104) controls the hardware components (e.g., the memory system (161 ), peripheral input/output devices, and/or network interface cards) without a hypervisor.
  • the executions (167) of the hypervisor (102), the operating system (104), and/or the application (106) access memory (123) (e.g., in memory components (171 , ... , 173)) using virtual memory addresses (e.g., 141 ) defined in one or more virtual memory spaces (e.g., 127).
  • At least one page table (151) e.g., as illustrated in the FUG. 3) is used to translate the virtual memory addresses (e.g., 141 ) used in the execution to the physical memory addresses (e.g., 159) of the memory components (e.g., 171 , ... , 173).
  • the executions of the routines of hypervisor (102), the operating system (104), and the application (106) can be organized into a plurality of domains (101 , 103, ... , 105).
  • the page table entry (153) identifies a set (e.g. , 1 1 1 , 1 13, ... , 115) of permission bits (e.g., 131 , 133, ... , 135) for accessing the region (123) in predefined types of operations such as read, write, execution, etc.
  • the permission bits (e.g., 131 , 133, ... , 135) of the corresponding permission set (e.g., 1 1 1 ) controls the memory accesses of the corresponding types from a respective execution domain (e.g., 101).
  • FIG. 5 shows a method to control memory access through permissions (107) specified in page table entries (e.g., 153) for execution domains (101 , 103, .... 105).
  • the method of FIG. 5 can be performed in a computer system of FIG. 4, using a page table (151 ) of FIG. 3, to provide permission bits (131 , 133, ... , 135) of F!G, 2 for predefined types of memory access operations in a region (123) for respective execution domains (101 , 103, ... , 105) illustrated in FIG. 1.
  • a computer system receives a request to access a virtual memory address (141) during an execution of a set of instructions.
  • the set of instructions can be a routine of a hypervisor (102), an operating system (104), or an application (106).
  • the execution of the routine can be classified as in one of the set of predetermined domains (101 , 103,
  • the memory management unit (MMU) (181) determines a page table entry (153) in translating the virtual memory address (141) to a physical memory address (159), as illustrated in FIG. 3.
  • the memory management unit (MMU) (181) (or the processor (169) of the computer system) identifies, among a plurality of predefined domains (101 , 103, ... , 105), an execution domain (e.g., 101 ) that contains the execution of the set of instructions.
  • memory addresses for loading the instructions of a routine can include an object identifier that determines the domain (e.g., 101 , 103, ... , 105) when the routine is loaded for execution in the processor (169)
  • the object identifier is part of the virtual address space and does not specify a domain.
  • the page table entry (153) includes information identifying the domain of routines stored in the memory region (123) identified by the page table entry (153).
  • a register (183) of the processor can store the identifier of the domain of a routine while the routine is being executed in the processor (169).
  • the memory management unit (MMU) (181) (or the processor (169) of the computer system) retrieves, from the page table entry (153), permissions (107) specified for the execution domain (e.g., 101 , 103, ... , or 105).
  • the permissions (107) can be stored at a predetermined location in the page table entry (153).
  • the memory management unit (MMU) (181) (or the processor (169) of the computer system) controls access to the physical memory address (129) based on the permissions (107) specified in the page table entry (153) for the execution domain of the instructions.
  • the permissions sets (1 1 1 , 1 13, .... 115) for respective domains (101 , 103, ... , 105) can be stored at predetermined locations within the page table entry (153); and the permissions (131 , 133, ... , or 135) for respective types of memory access operations (e.g , read, write, ... , or execution) for each domain (e.g., 101 , 103, ... , or 105) is stored at predetermined locations within the permission set (e.g., 1 1 1 , 1 13, ... , or 1 15) for a respective execution domain (101 , 103, ... , 105).
  • the permissions sets (1 1 1 1 , 1 13, .... 115) for respective domains (101 , 103, ... , 105) can be stored at predetermined locations within the page table entry (153); and the permissions (131 , 133, ... , or 135) for respective types of memory access operations (e.g , read, write, ... , or
  • the memory management unit (MMU) (181 ) (or the processor (169) of the computer system) can extract a permission bit (e.g., 131 , 133, ... , 135) and determine whether the memory access operation is permitted according to the extracted permission bit.
  • a permission bit e.g., 131 , 133, ... , 135.
  • a processor e.g., 101
  • the processor can be a unit integrated within memory to overcome the von Neumann bottleneck that limits computing

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Mathematical Physics (AREA)
  • Human Computer Interaction (AREA)
  • Storage Device Security (AREA)
  • Memory System Of A Hierarchy Structure (AREA)

Abstract

Systems, apparatuses, and methods related to a computer system having a page table entry containing permission bits for predefined types of memory accesses made by executions of routines in predefined domains are described. The page table entry can be used to map a virtual memory address to a physical memory address. In response to a routine accessing the virtual memory address, a permission bit corresponding to the execution domain of the routine and a type of the memory access can be extracted from the page table entry to determine whether the memory access is to be rejected.

Description

MEMORY ACCESS CONTROL THROUGH PERMISSIONS SPECIFIED IN PAGE
TABLE ENTRIES FOR EXECUTION DOMAINS
RELATED APPLICATION
[0001] The present application claims the benefit of the filing dates of U.S. Pat App. Ser. No. 16/520,292, filed July 23, 2019 and entitled "Memory Access Control through Permissions Specified in Page Table Entries for Execution Domains," and Prov. U.S. Pat. App. Ser. No. 62/724,896, filed Aug. 30, 2018 and entitled "Memory Access Control through Permissions Specified in Page Table Entries for Execution Domains," the entire disclosure of which application is hereby incorporated herein by reference.
FIELD OF THE TECHNOLOGY
[0002] At least some embodiments disclosed herein relate generally to computer architecture and more specifically, but not limited to, memory access control implemented through permissions specified in page table entries for execution domains.
BACKGROUND
[0003] Instructions programmed for a computer can be structured in layers. One layer can provide resources and services for another layer. For example, a hypervisor can create or provision virtual machines that are implemented on the hardware components of the computer. An operating system can offer resources and services using resources available in a computer having predefined architecture. The computer resources or computer operated upon by the operating system can be actual computer hardware components, or virtual machine components provisioned by a hypervisor. An application can provide application specific functions using the services and resources provided by an operating system.
BRIEF DESCRIPTION OF THE DRAWINGS [0004] The embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements.
[0005] FIG, 1 shows a system to control memory access according to some embodiments.
[0006] FIG. 2 shows a permission structure that can be used in the system of FIG. 1.
[0007] FIG. 3 illustrates a page table entry having a permission set for execution domains.
[0008] FIG. 4 shows a computer system having a page table to implement memory access permissions.
[0009] FIG. 5 shows a method to control memory access through permissions specified in page table entries for execution domains.
DETAILED DESCRIPTION
[0010] The present disclosure includes the techniques of controlling memory access by different, non-hierarchical, domains of executions based on respective permission sets specified in page table entries.
[0011] In a traditional system, different layers of instructions (e.g., user applications vs. operating system) may be given different levels of privilege and/or trust. Conventionally, protection rings have been constructed and implemented in computers to protect data and functionality from fault and malicious behaviors based on a hierarchy of rings. Rings are statically arranged in the hierarchy from most privileged (and thus most trusted) to least privileged (and thus least trusted). For example, the hierarchy can include a ring of operating system kernel that is the most privileged, a ring of device drivers, and a ring of applications that are the least privileged. A program or routine in a lower privilege ring can be limited by a respective special hardware enforced control gate to access the resources and services of a higher privilege ring in the hierarchy. Gating access between rings can improve security.
[0012] In the techniques of the present disclosure, instructions or routines programmed for a computer system can be classified into a set of predefined, non- hierarchical, domains, such as a domain of hypervisor, a domain of operating system, a domain of application, etc. The routines can access memory resources via virtual memory addresses that are translated to physical memory addresses via one or more page tables. A physical memory region can be explicitly configured to have different permissions for different domains, without relying upon a static domain hierarchy.
[0013] FIG. 1 shows a system to control memory access according to some embodiments.
[0014] The system of FIG. 1 includes physical memory (109) that can be used to store data and instructions for various routines programmed for a computer system.
[0015] In general, a routine can include a pre-programmed set of instructions stored in the memory (109). The routine can also have input data, output data, and/or, temporary data stored in the memory (109). A routine can invoke or call another routine for services and/or resources. The calling routine and the called routine can be in a same domain or different domains (e.g., 101 , 103, ... , 105).
Different regions (121 , 123, 125) in the memory (109) can be configured with different permission sets (e.g., 107); and each permission set (e.g., 107) can include different permissions (e.g., 11 1 , 1 13, ... , 115) for respective domains (101 , 103, ... , 105) that requests access to the memory region (123). The permissions (107) can be specified, for example, in a page table entry used in logical to physical address translation of virtual memory addresses, such that the structure of the memory regions (121 , 123, ... , 125) can correspond to the memory page structure, as further discussed below in connection with FIG. 3.
[0016] In FIG. 1 , the physical memory (109) is divided into multiple regions (121 , 123, ... , 125). For example, each region (e.g., 123) can be a page of physical memory (109) for memory management, or a set of pages of physical memory (109).
[0617] A typical region Y (e.g., 123) can have a respective set of permissions Y (107) specified for the set of predefined domains (101 , 103, ... , 105). For example, routines of a hypervisor (102) can be classified in a domain A (101); routines of an operating system (104) can be classified in another domain B (103); and routines of applications (106) can be classified in a further domain C (105). A hypervisor or virtual machine monitor (VMM) creates and manages virtual machines. The hypervisor can control basic functions such as physical memory and input/output (I/O). The permissions Y (107) explicitly identify the permissions (1 1 1 , 1 13, ... , 1 15) for the domains (101 , 103, ... , 105) respectively. Thus, the privileges of routines to access the region (123) are not dependent on a hierarchy of the domains (102, 103, ... , 105).
[0018] For example, a routine in the domain (103) can be programmed for an operating system (104) and configured to use the memory region Y (123) for storing instructions and/or data. When another routine in the domain (101 ) for a hypervisor (102) accesses the memory region (123) for read, write, or execution of instructions, the permission (1 1 1 ) specified for the domain (101) to access the region (123) is checked. Whether or not to block or reject an access to the memory region (123) for a particular type of operations (e.g., read, write, execution) by an execution in the domain (101 ) can be determined based on a permission bit (e.g., in 1 1 1 ) that is specified for the domain (101 ), for the memory region (123), and for the type of operations. Thus, the access control can be independent of a relative hierarchy between the domain (103) and the domain (101 ).
[0019] Similarly, consider a routine in the domain (103) that is programmed for an operating system (104) and configured to use the memory region Y (123) for storing instructions and/or data. When another routine in the domain (105) for an application (106) accesses the memory region (123) for a type of operations (e.g., read, write, or execution), the permission (1 15) specified for the domain (105) to access the region (123) is checked. Whether or not to block or reject the accesses of an application (106), executed in the domain (103), to the memory region (123) can be determined based on the permission (1 15) specified for the domain (105) and for the memory region (123). Thus, the access control can be independent of a relative hierarchy between the domains (e.g , 103 and 105).
[0020] In general, different routines of a same domain (e.g., 103) can be configured to use different regions (e.g., 121 , 123, .., 125) and thus configured to have different permissions for a same domain (e.g , 101 or 105)
[0021] Further, a routine can be configured to store different portions of its data in different regions (e.g., 121 , 123, ... , 125) and thus configured to have different permissions for a same domain (e.g., 101 , 103, ... , or 105).
[0022] Since the memory access control system of FIG, 1 does not rely upon a predefined domain hierarchy of trust (i.e., non-hierarchical), it can provide better flexibility and finer control granularity than the conventional protection rings.
[0023] FIG. 2 shows a permission structure that can be used in the system of FIG. 1
[0024] In FIG. 2, a set (1 1 1 , 1 13, ... , or 1 15) of permission bits is specified for each domain (101 , 103, or 105). Each set (e.g., 11 1 ) specifies permission bits (e.g., 131 , 133, ... , 135) for a set of predefined operations, such as read, write, ... , execution.
[0025] For example, when a routine in the domain (101 ) accesses the memory region (123) to read data from the region (123), the read permission (131 ) specified for the domain (101 ) is examined. If the read permission (131 ) is in a first predefined state (e.g., 1 or O), the read operation of the routine is permitted; and if the read permission (131 ) is in a second predefined state (e.g., 0 or 1 ), the read operation of the routine is rejected.
[0026] For example, when a routine in the domain (101 ) accesses the memory region (123) to write data into the region (123), the write permission (133) specified for the domain (101 ) is examined. If the write permission (133) is in a first predefined state (e.g., 1 ), the write operation of the routine is permitted; and if the write permission (133) is in a second predefined state (e.g., 0), the write operation of the routine is rejected.
[0027] For example, when a routine in the domain (101 ) accesses the memory region (123) to load an instruction from the region (123) for execution, the execution permission (135) specified for the domain (101 ) is examined. If the execution permission (135) is in a first predefined state (e.g., 1 ), the execution is permitted; and if the execution permission (135) is in a second predefined state (e.g., 0), the execution request is rejected.
[0028] The granularity of the regions (121 , 123, ... , 125) can correspond to the memory pages in a page table for translating virtual memory addresses to physical memory addresses; and the permissions (e.g., 107) can be stored as part of a page table entry of a corresponding region (123), as illustrated in F!G. 3
[0029] FIG. 3 illustrates a page table entry (153) having a permission set (107) for execution domains (e.g., 101 , 103, ... , 105).
[0030] A typical virtual address (141 ) in a virtual address space (127) can be translated into a corresponding physical address (159) in a physical address space (129) using a page table (151 ). in general, multiple page tables (e.g., 151 ) can be used to map the virtual address space (127) to the physical address space (129).
[0031] The virtual address (141 ) can include a table ID (143), an entry ID (145), and an offset (147). The table ID (143) can be used to identify a page table (151) that contains a page table entry (153) for a page that contains the memory unit that is identified by the virtual address (141 ) and the physical address (159). The entry ID (145) is used as an index into the page table (151 ) to locate the page table entry (153) efficiently. The page table entry (153) provides a base (157) of the physical address (159). Physical addresses in the same page of memory share the same base (157). Thus, the base (157) identifies the region (123) in the memory (109).
The offset (147) of the virtual address (141 ) is used as a corresponding offset (147) in the page or region (123) in the memory (109). The combination of the base (157) and the offset (147) provides the physical address (159) corresponding to the virtual address (141 ).
[0032] In FIG. 3, the page table entry (153) specifies not only the base (157) for the page or region (123), but also the permissions (107) for the page or memory region (123), including permissions (1 1 1 , 1 13, ... , 1 15) for the respective domains (101 , 103, ... , 105) illustrated in FIG. 1 ; and for each domain (e.g., 101 ), the page table entry (153) includes a permission bit (131 , 133, ... , or 135) for a respective type of access operations (e.g., read, write, ... , or execution) as illustrated in FIG. 2.
[0033] Optionally, the page table entry (153) can specify other attributes (155) of the page of physical memory, such as whether the data in the page is valid, whether the page is in main memory, whether the page is dirty (e.g., the changes in data in the page of physical memory have not yet been flushed to a longer-term
memory/storage device relative to the memory region (123)). For example, the attributes (155) can include a page fault bit indicating whether the page is in the main memory of the computer or in a storage device of the computer. If the permissions (107) allow the current access to the page of memory and the page fault bit indicate that the page is currently not in the main memory of the computer, the memory management unit (181 ) can swap the page from the storage device into the main memory of the computer to facilitate the access to the page identified by the page table entry (153). However, if the permissions (107) deny the current access to the page for the current execution domain, it is not necessary to evaluate the page fault bit and/or to swap in the page corresponding to the page table entry (153).
[0034] In general, the table ID (143) can be divided into multiple fields used to locate the page table (151 ). For example, the table ID (143) can include a top table ID identifying a top-level page table and a top table entry ID that is used as an index into the top-level page table to retrieve a page table entry containing an identifier of the page table (151), in a way similar to the entry ID (145) indexing into the page iable (151) to identify the page tabie entry (153) containing the base (157).
[0035] In general, an entry ID (145) can be considered a virtual page number in the page table (151); and the virtual page number (e.g., 145) can be used in the page tabie (151 ) to look up the page table entry (153) containing the base (157).
[0036] For example, the table ID (143) can include a set of virtual page numbers that can be used to identify a chain of page tables (e.g., 151 ). Each virtual page number is used as an index in a page table (or page directory) to identify the page table entry (or page directory entry) that contains the identity or base of the next level page tabie (or page directory).
[0037] In some instances, different running processes in a computer can have different virtual address spaces (e.g., 127); and the process ID of a running process can be used in determine the top-level page table (or page directory). In some instances, a hash of a portion of the virtual address (141 ), the process ID, and/or an identification of a virtual machine hosted in the computer system can be used to locate the top-level page table (or page directory). In some instances, a hash is used as an index or key to look up a page table entry. Regardless of how the page table entry (153) is located (e.g., via indexing through multiple page tables, via the use of a hash as an index or key), the content of the page table entry (153) can be configured in a way as illustrated in F!G. 3 to provide the permissions (107) for different domains (101 , 103, ... , 105) to access the page/memory region (123) corresponding to the base (157).
[0038] In FIG, 3, the permission Y (107) for a page or region Y (123) is specified in the bottom-level page tabie (151 ), where the page tabie entry (153) in the bottom- level page table (151) provides the base (157) of the physical address (159).
[0039] Alternatively, or in combination, higher-level page tables (or page directories) can also have domain permission data for their page tabie entries (or page directory entries). For example, a page tabie entry (or page directory entry) identifying the page table (151 ) can have domain permission for all of the pages in the page table (151); and thus, the domain permission data in the page table entry is applicable to the memory region defined by the page tabie (151 ). The hierarchy of permissions specified in the chain of page tabie entries leading to the page tabie (151 ) and the permissions (107) in the bottom-level page table entry (153) can be combined via a logic AND operation or a logic OR operation.
[0040] For example, a routine running in a domain (e.g., 101 , 103, ... , 105) can be allowed to access a page identified by the base (157) if ail of the permission bits in the chain of page tabie entries leading to the base (157), including the bottom- level table entry (153), have the value that allows access. Alternatively, a routine running in a domain (e.g., 101 , 103, 105) can be allowed to access a page identified by the base (157) if any of the permission bits in the chain of page table entries leading to the base (157), including the bottom-level tabie entry (153), have the value that allows access.
[0041] For example, a routine running in a domain (e.g., 101 , 103, ... , 105) can be denied of access to a page identified by the base (157) if any of the permission bits in the chain of page table entries leading to the base (157), including the bottom- level tabie entry (153), have the value that denies access. Alternatively, a routine running in a domain (e.g., 101 , 103, ... , 105) can be denied of access to a page identified by the base (157) only when all of the permission bits in the chain of page table entries leading to the base (157), including the bottom-level table entry (153), have the value that denies access.
[0042] For example, when a non-bottom-level page tabie entry (or page directory entry) indicates that the operation is prohibited, the operations to translate from the virtual address (141 ) to the physical address (159) can be interrupted to reject the memory access associated with the virtual address (141 ). In response to the rejection, a trap to the software designated to handle the rejection is used.
[0043] Optionally, the domain permission data (e.g., 107) is specified in the bottom-level page table (151 ) but not in the higher-level page tables (directories).
[0044] FIG. 4 shows a computer system having a page tabie (e.g., 151 ) to implement memory access permissions (e.g., 107) for execution domains (101 , 103, ... , 105).
[0045] The computer system of F!G. 4 has a host system (165) coupled to a memory system (161 ) via one or more buses (163). The memory system (161) has memory components (171 , ... , 173).
[0046] For example, the buses (163) can include a memory bus connecting to one or more memory modules and/or include a peripheral internet connecting to one or more storage devices. Some of the memory components (171 , ... , 173) can provide random access; and the some of the memory components (171 , ... , 173) can provide persistent storage capability. Some of the memory components (171 , ... , 173) can be volatile in that when the power supply to the memory component is disconnected temporarily, the data stored in the memory component will be corrupted and/or erased. Some of the memory components (171 , ... , 173) can be non-vo!atile in that the memory component is capable of retaining content stored therein for an extended period of time without power.
[0047] In general, a memory system (161 ) can also be referred to as a memory device. An example of a memory device is a memory module that is connected to a central processing unit (CPU) via a memory bus. Examples of memory modules include a dual in-line memory module (DIMM), a small outline DIMM (SO-DIMM), a non-volatile dual in-line memory module (NVDIMM), etc. Another example of a memory device is a storage device that is connected to the central processing unit (CPU) via a peripheral interconnect (e.g., an input/output bus, a storage area network). Examples of storage devices include a solid-state drive (SSD), a flash drive, a universal serial bus (USB) flash drive, and a hard disk drive (HDD) in some instances, the memory device is a hybrid memory/storage system that provides both memory functions and storage functions.
[0048] The memory components (171 , ... , 173) can include any combination of the different types of non-volatile memory components and/or volatile memory components. An example of non-volatile memory components includes a negative- and (NAND) type flash memory with one or more arrays of memory cells such as single level cells (SLCs) or multi-level cells (MLCs) (e.g., triple level ceils (TLCs) or quad-level cells (QLCs)). in some instances, a particular memory component can include both an SLC portion and an MLC portion of memory cells. Each of the memory cells can store one or more bits of data (e.g., data blocks) used by the host system (165). Alternatively, or in combination, a memory component (171 , ... , or 173) can include a type of volatile memory in some instances, a memory component (171 , ... , or 173) can include, but is not limited to, random access memory (RAM), read-only memory (ROM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), phase change memory (PCM), magneto random access memory (MRAM), Spin Transfer Torque (STT)-MRAM, ferroelectric random-access memory (FeTRAM), ferroelectric RAM (FeRAM), conductive bridging RAM (CBRAM), resistive random access memory (RRAM), oxide based RRAM (OxRAM), negative-or (NOR) flash memory, electrically erasable programmable read-only memory (EEPROM), nanowire-based non-volatile memory, memory that incorporates memristor technology, and/or a cross-point array of non-volatile memory cells. A cross-point array of non-volatile memory can perform bit storage based on a change of bulk resistance, in conjunction with a stackable cross-gridded data access array. Additionally, in contrast to many flash- based memories, cross-point non-volatile memory can perform a write in-place operation, where a non-volatile memory ceil can be programmed without the non volatile memory ceil being previously erased.
[0049] In general, a host system (185) can utilize a memory system (161 ) as physical memory (109) that includes one or more memory components (171 , ... , 173). The host system (165) can load instructions from the memory system (161 ) for execution, provide data to be stored at the memory system (161 ), and request data to be retrieved from the memory system (161 ).
[00S0] In F!G. 4, the host system (165) includes a memory management unit (MMU) (181 ) and a processor (169). The processor (169) has execution units (e.g., 185), such as an arithmetic-logic unit. The processor (189) has registers (183) to hold instructions for execution, data as operands of instructions, and/or results of instruction executions. The processor (169) can have an internal cache (187) as a proxy of a portion of the memory system (161 ).
[0051] In some instances, the host system (165) can include multiple processors (e.g., 189) integrated on a same silicon die as multiple processing cores of a central processing unit (GPU).
[00S2] Routines programmed for executing in the processor (189) can be initially stored in the memory system (161 ). The routines can include instructions for a hypervisor (102), an operating system (104), and an application (106). The routines stored initially in the memory system (161 ) can be loaded to the internal cache (187) and/or the registers (183) for execution in the execution units (185).
[0053] The running instances of the routines form the executions (167) of the hypervisor (102), the operating system (104), and the application (106). In some instances, a hypervisor (102) is not used; and the operating system (104) controls the hardware components (e.g., the memory system (161 ), peripheral input/output devices, and/or network interface cards) without a hypervisor.
[0054] The executions (167) of the hypervisor (102), the operating system (104), and/or the application (106) access memory (123) (e.g., in memory components (171 , ... , 173)) using virtual memory addresses (e.g., 141 ) defined in one or more virtual memory spaces (e.g., 127). At least one page table (151) (e.g., as illustrated in the FUG. 3) is used to translate the virtual memory addresses (e.g., 141 ) used in the execution to the physical memory addresses (e.g., 159) of the memory components (e.g., 171 , ... , 173).
[0055] As illustrated in FIG, 1 , the executions of the routines of hypervisor (102), the operating system (104), and the application (106) can be organized into a plurality of domains (101 , 103, ... , 105). For each of the execution domains (101 , 103, .... 105) and a memory region (123) identified by a page table entry (153), the page table entry (153) identifies a set (e.g. , 1 1 1 , 1 13, ... , 115) of permission bits (e.g., 131 , 133, ... , 135) for accessing the region (123) in predefined types of operations such as read, write, execution, etc. The permission bits (e.g., 131 , 133, ... , 135) of the corresponding permission set (e.g., 1 1 1 ) controls the memory accesses of the corresponding types from a respective execution domain (e.g., 101).
[0056] FIG. 5 shows a method to control memory access through permissions (107) specified in page table entries (e.g., 153) for execution domains (101 , 103, .... 105).
[0057] For example, the method of FIG. 5 can be performed in a computer system of FIG. 4, using a page table (151 ) of FIG. 3, to provide permission bits (131 , 133, ... , 135) of F!G, 2 for predefined types of memory access operations in a region (123) for respective execution domains (101 , 103, ... , 105) illustrated in FIG. 1.
[0058] At block 201 , a computer system (e.g., illustrated in FIG. 4) receives a request to access a virtual memory address (141) during an execution of a set of instructions.
[0059] For example, the set of instructions can be a routine of a hypervisor (102), an operating system (104), or an application (106). Thus, the execution of the routine can be classified as in one of the set of predetermined domains (101 , 103,
... , 105) illustrated in FIG. 1.
[0060] At block 203, the memory management unit (MMU) (181) (or the processor (169) of the computer system) determines a page table entry (153) in translating the virtual memory address (141) to a physical memory address (159), as illustrated in FIG. 3.
[6061] At block 205, the memory management unit (MMU) (181) (or the processor (169) of the computer system) identifies, among a plurality of predefined domains (101 , 103, ... , 105), an execution domain (e.g., 101 ) that contains the execution of the set of instructions. [0062] For example, memory addresses for loading the instructions of a routine can include an object identifier that determines the domain (e.g., 101 , 103, ... , 105) when the routine is loaded for execution in the processor (169) In other examples, the object identifier is part of the virtual address space and does not specify a domain. In some implementations, the page table entry (153) includes information identifying the domain of routines stored in the memory region (123) identified by the page table entry (153).
[0063] For example, a register (183) of the processor can store the identifier of the domain of a routine while the routine is being executed in the processor (169).
[0064] At block 207, the memory management unit (MMU) (181) (or the processor (169) of the computer system) retrieves, from the page table entry (153), permissions (107) specified for the execution domain (e.g., 101 , 103, ... , or 105).
[006S] For example, the permissions (107) can be stored at a predetermined location in the page table entry (153).
[0066] At block 209, the memory management unit (MMU) (181) (or the processor (169) of the computer system) controls access to the physical memory address (129) based on the permissions (107) specified in the page table entry (153) for the execution domain of the instructions.
[0667] For example, the permissions sets (1 1 1 , 1 13, .... 115) for respective domains (101 , 103, ... , 105) can be stored at predetermined locations within the page table entry (153); and the permissions (131 , 133, ... , or 135) for respective types of memory access operations (e.g , read, write, ... , or execution) for each domain (e.g., 101 , 103, ... , or 105) is stored at predetermined locations within the permission set (e.g., 1 1 1 , 1 13, ... , or 1 15) for a respective execution domain (101 , 103, ... , 105). Thus, based on the execution domain of the instructions and the type of memory access operations (e.g., read, write, ... , or execution), the memory management unit (MMU) (181 ) (or the processor (169) of the computer system) can extract a permission bit (e.g., 131 , 133, ... , 135) and determine whether the memory access operation is permitted according to the extracted permission bit.
[6068] The techniques disclosed herein can be applied to at least to computer systems where processors are separated from memory and processors
communicate with memory and storage devices via communication buses and/or computer networks. Further, the techniques disclosed herein can be applied to computer systems in which processing capabilities are integrated within memory/storage. For example, the processing circuits, including executing units and/or registers of a typical processor, can be implemented within the integrated circuits and/or the integrated circuit packages of memory media to performing processing within a memory device. Thus, a processor (e.g., 101 ) as discussed above and illustrated in the drawings is not necessarily a central processing unit in the von Neumann architecture. The processor can be a unit integrated within memory to overcome the von Neumann bottleneck that limits computing
performance as a result of a limit in throughput caused by latency in data moves between a central processing unit and memory configured separately according to the von Neumann architecture.
[0069] The description and drawings of the present disclosure are illustrative and are not to be construed as limiting. Numerous specific details are described to provide a thorough understanding. However, in certain instances, well known or conventional details are not described in order to avoid obscuring the description. References to one or an embodiment in the present disclosure are not necessarily references to the same embodiment; and, such references mean at least one.
[0070] In the foregoing specification, the disclosure has been described with reference to specific exemplary embodiments thereof. It will be evident that various modifications can be made thereto without departing from the broader spirit and scope as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.

Claims

CLA! MS What is claimed is:
1 . A computer system, comprising:
a memory configured to at least store instructions of routines of a predefined set of domains;
a processor coupled with the memory; and
a memory management unit coupled between the processor and the memory, wherein the memory management unit is configured to manage a page table containing a page table entry that includes a permission bit for a type of memory access for each of the domains in the predefined set; wherein the memory management unit is configured to map a virtual memory address to a physical memory address using the page table entry during an execution of a routine that is in a first domain; wherein the memory management unit is further configured to control, in
accordance with a respective permission bit for the first domain, a memory access of the type in response to an instruction of the routine causing the processor to use the virtual memory address to access the physical memory address.
2. The computer system of claim 1 , wherein the page table entry includes a base for a page of physical addresses.
3. The computer system of claim 2, wherein the memory management unit is configured to combine the base and an offset specified in the virtual memory address to generate the physical address.
4. The computer system of claim 3, wherein the predefined set of domains
comprises at least one of a domain for hypervisor, a domain for operating system, or a domain for application, or any combination thereof.
5. The computer system of claim 3, wherein the base provided in the page table entry identifies a region of physical memory.
6. The computer system of claim 5, wherein the page table entry includes a permission bit for routines in the first domain to perform read operations in the region of physical memory.
7. The computer system of claim 5, wherein the page table entry includes a
permission bit for routines in the first domain to perform write operations in the region of physical memory.
8. The computer system of claim 5, wherein the page table entry includes a
permission bit for routines in the first domain to execute instructions loaded from the region of physical memory.
9. The computer system of claim 1 , wherein the virtual memory address includes a plurality of virtual page numbers, including a last virtual page number; and the memory management unit is configured to index into the page table using the last virtual page number to locate the page table entry.
10. The computer system of claim 9, wherein the page table is a last page table; and the memory management unit is further configured to index into a first page table using a first virtual page number in the plurality of virtual page numbers to retrieve a first page table entry that identifies the last page table; and the first page table entry contains permission bits for the predefined set of domains in performing a plurality types of operations in accessing a memory region corresponding to physical addresses defined via the last page table.
1 1. The computer system of claim 9, wherein the memory management unit is configured to control the memory access of the type based at least in part on a permission bit specified in the first page table entry.
12. A method, comprising:
receiving a request to access a virtual memory address during an execution of a set of instructions in a computer processor;
determining a page table entry in translating the virtual memory address to a physical memory address;
identifying, among a plurality of predefined domains, an execution domain that contains the execution of the set of instructions;
retrieving, from the page table entry, a permission bit specified for the execution domain and specified for a type of the request; and controlling the request to access the physical memory address based on the permission bit
13. The method of claim 12, further comprising:
extracting a base from the page table entry;
extracting an offset from a predetermined field of the virtual memory address; and
combining the base and an offset to generate the physical memory address.
14. The method of claim 13, wherein the plurality of predefined domains includes a domain for hypervisor.
15. The method of claim 13, wherein the plurality of predefined domains includes a domain for operating system.
16. The method of claim 13, wherein the base identifies a region of physical memory; and the type of request to access the region of the physical memory is controlled based at least in part on a value of the permission bit.
17. The method of claim 16, wherein the type comprises at least one of read, write, or execution, or any combination thereof.
18. A computing device, comprising:
at least one register;
at least one execution unit; and
a memory management unit configured to manage a page table entry
containing permission bits corresponding to predefined types of memory accesses made by executions of routines in predefined domains;
wherein, in response to a routine executed in the computing device accessing a virtual memory address,
the memory management unit is configured to generate a physical memory address using the page table entry; and
the computing device is configured to determine whether to reject the routing accessing the virtual memory address based on a permission bit corresponding to an execution domain of the routine and a type of memory access made using the virtual memory address
19 The computing device of claim 18, wherein the predefined types of memory accesses comprise read data from virtual addresses, write data to virtual addresses, or execute instructions stored at virtual addresses, or any combination thereof.
20. The computing device of claim 19, wherein the predefined domains comprise at least one of a domain of hypervisor, a domain of operating system, or a domain of application, or any combination thereof.
PCT/US2019/048020 2018-08-30 2019-08-23 Memory access control through permissions specified in page table entries for execution domains WO2020046762A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP19854482.7A EP3844625A4 (en) 2018-08-30 2019-08-23 Memory access control through permissions specified in page table entries for execution domains
CN201980055578.8A CN112602070A (en) 2018-08-30 2019-08-23 Memory access control by permissions specified in page table entries of an execution domain
KR1020217004839A KR20210022141A (en) 2018-08-30 2019-08-23 Memory access control through the permissions specified in the page table entry for the execution domain

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201862724896P 2018-08-30 2018-08-30
US62/724,896 2018-08-30
US16/520,292 2019-07-23
US16/520,292 US10915457B2 (en) 2018-08-30 2019-07-23 Memory access control through permissions specified in page table entries for execution domains

Publications (1)

Publication Number Publication Date
WO2020046762A1 true WO2020046762A1 (en) 2020-03-05

Family

ID=69642263

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2019/048020 WO2020046762A1 (en) 2018-08-30 2019-08-23 Memory access control through permissions specified in page table entries for execution domains

Country Status (5)

Country Link
US (3) US10915457B2 (en)
EP (1) EP3844625A4 (en)
KR (1) KR20210022141A (en)
CN (1) CN112602070A (en)
WO (1) WO2020046762A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10884952B2 (en) * 2016-09-30 2021-01-05 Intel Corporation Enforcing memory operand types using protection keys
US11914726B2 (en) 2018-08-30 2024-02-27 Micron Technology, Inc. Access control for processor registers based on execution domains
US11500665B2 (en) 2018-08-30 2022-11-15 Micron Technology, Inc. Dynamic configuration of a computer processor based on the presence of a hypervisor
US11182507B2 (en) 2018-08-30 2021-11-23 Micron Technology, Inc. Domain crossing in executing instructions in computer processors
US10942863B2 (en) 2018-08-30 2021-03-09 Micron Technology, Inc. Security configurations in page table entries for execution domains using a sandbox application operation
US10915465B2 (en) 2018-08-30 2021-02-09 Micron Technology, Inc. Memory configured to store predefined set of domain registers for instructions being executed in computer processors
US11481241B2 (en) 2018-08-30 2022-10-25 Micron Technology, Inc. Virtual machine register in a computer processor
US10915457B2 (en) 2018-08-30 2021-02-09 Micron Technology, Inc. Memory access control through permissions specified in page table entries for execution domains

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080244206A1 (en) 2007-03-30 2008-10-02 Samsung Electronics Co., Ltd. Method of controlling memory access
US20120036334A1 (en) * 2010-08-05 2012-02-09 Horman Neil R T Access to shared memory segments by multiple application processes
US20140173169A1 (en) * 2012-12-17 2014-06-19 BaoHong Liu Controlling access to groups of memory pages in a virtualized environment
US20140331019A1 (en) * 2013-05-06 2014-11-06 Microsoft Corporation Instruction set specific execution isolation
US20150100717A1 (en) * 2005-01-14 2015-04-09 Intel Corporation Virtualizing physical memory in a virtual machine system
US20160350019A1 (en) * 2015-05-29 2016-12-01 Intel Corporation Access control for memory protection key architecture

Family Cites Families (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4409655A (en) 1980-04-25 1983-10-11 Data General Corporation Hierarchial memory ring protection system using comparisons of requested and previously accessed addresses
US4386399A (en) 1980-04-25 1983-05-31 Data General Corporation Data processing system
US4821184A (en) 1981-05-22 1989-04-11 Data General Corporation Universal addressing system for a digital data processing system
US4525780A (en) 1981-05-22 1985-06-25 Data General Corporation Data processing system having a memory using object-based information and a protection scheme for determining access rights to such information
US6470436B1 (en) 1998-12-01 2002-10-22 Fast-Chip, Inc. Eliminating memory fragmentation and garbage collection from the process of managing dynamically allocated memory
US7370193B2 (en) 2002-04-27 2008-05-06 Tong Shao Computing system being able to quickly switch between an internal and an external networks and a method thereof
KR100941104B1 (en) 2002-11-18 2010-02-10 에이알엠 리미티드 Apparatus for processing data, method for processing data and computer-readable storage medium storing a computer program
US7594111B2 (en) 2002-12-19 2009-09-22 Massachusetts Institute Of Technology Secure execution of a computer program
US8607299B2 (en) 2004-04-27 2013-12-10 Microsoft Corporation Method and system for enforcing a security policy via a security virtual machine
US8245270B2 (en) 2005-09-01 2012-08-14 Microsoft Corporation Resource based dynamic security authorization
JP2008077144A (en) 2006-09-19 2008-04-03 Ricoh Co Ltd Virtualization system, memory management method and control program
JP4756603B2 (en) 2006-10-10 2011-08-24 ルネサスエレクトロニクス株式会社 Data processor
GB2448151B (en) 2007-04-03 2011-05-04 Advanced Risc Mach Ltd Memory domain based security control within data processing systems
US8051263B2 (en) 2007-05-04 2011-11-01 Atmel Corporation Configurable memory protection
US8375195B2 (en) 2009-03-05 2013-02-12 Oracle America, Inc. Accessing memory locations for paged memory objects in an object-addressed memory system
US8190839B2 (en) 2009-03-11 2012-05-29 Applied Micro Circuits Corporation Using domains for physical address management in a multiprocessor system
US8601473B1 (en) 2011-08-10 2013-12-03 Nutanix, Inc. Architecture for managing I/O and storage for a virtualization environment
WO2013082437A1 (en) 2011-12-02 2013-06-06 Invincia, Inc. Methods and apparatus for control and detection of malicious content using a sandbox environment
WO2013174503A1 (en) 2012-05-21 2013-11-28 Eth Zurich Secure loader
US9436616B2 (en) * 2013-05-06 2016-09-06 Qualcomm Incorporated Multi-core page table sets of attribute fields
US10489309B2 (en) 2014-10-21 2019-11-26 Intel Corporation Memory protection key architecture with independent user and supervisor domains
CN112214424B (en) 2015-01-20 2024-04-05 乌尔特拉塔有限责任公司 Object memory architecture, processing node, memory object storage and management method
US9405515B1 (en) 2015-02-04 2016-08-02 Rockwell Collins, Inc. Computing systems utilizing controlled dynamic libraries and isolated execution spaces
US20160381050A1 (en) 2015-06-26 2016-12-29 Intel Corporation Processors, methods, systems, and instructions to protect shadow stacks
US20170060783A1 (en) 2015-09-01 2017-03-02 Mediatek Inc. Apparatus for performing secure memory allocation control in an electronic device, and associated method
US9852084B1 (en) 2016-02-05 2017-12-26 Apple Inc. Access permissions modification
US20180004681A1 (en) * 2016-07-02 2018-01-04 Intel Corporation Systems, Apparatuses, and Methods for Platform Security
US10255202B2 (en) 2016-09-30 2019-04-09 Intel Corporation Multi-tenant encryption for storage class memory
US10884952B2 (en) 2016-09-30 2021-01-05 Intel Corporation Enforcing memory operand types using protection keys
US10346625B2 (en) 2016-10-31 2019-07-09 International Business Machines Corporation Automated mechanism to analyze elevated authority usage and capability
US20180121125A1 (en) * 2016-11-01 2018-05-03 Qualcomm Incorporated Method and apparatus for managing resource access control hardware in a system-on-chip device
US11055401B2 (en) 2017-09-29 2021-07-06 Intel Corporation Technologies for untrusted code execution with processor sandbox support
US10942863B2 (en) 2018-08-30 2021-03-09 Micron Technology, Inc. Security configurations in page table entries for execution domains using a sandbox application operation
US10915465B2 (en) 2018-08-30 2021-02-09 Micron Technology, Inc. Memory configured to store predefined set of domain registers for instructions being executed in computer processors
US11182507B2 (en) 2018-08-30 2021-11-23 Micron Technology, Inc. Domain crossing in executing instructions in computer processors
US11500665B2 (en) 2018-08-30 2022-11-15 Micron Technology, Inc. Dynamic configuration of a computer processor based on the presence of a hypervisor
US20200073822A1 (en) 2018-08-30 2020-03-05 Micron Technology, Inc. Security Configuration for Memory Address Translation from Object Specific Virtual Address Spaces to a Physical Address Space
US11914726B2 (en) 2018-08-30 2024-02-27 Micron Technology, Inc. Access control for processor registers based on execution domains
US10915457B2 (en) 2018-08-30 2021-02-09 Micron Technology, Inc. Memory access control through permissions specified in page table entries for execution domains
US11481241B2 (en) 2018-08-30 2022-10-25 Micron Technology, Inc. Virtual machine register in a computer processor

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150100717A1 (en) * 2005-01-14 2015-04-09 Intel Corporation Virtualizing physical memory in a virtual machine system
US20080244206A1 (en) 2007-03-30 2008-10-02 Samsung Electronics Co., Ltd. Method of controlling memory access
US20120036334A1 (en) * 2010-08-05 2012-02-09 Horman Neil R T Access to shared memory segments by multiple application processes
US20140173169A1 (en) * 2012-12-17 2014-06-19 BaoHong Liu Controlling access to groups of memory pages in a virtualized environment
US20140331019A1 (en) * 2013-05-06 2014-11-06 Microsoft Corporation Instruction set specific execution isolation
US20160350019A1 (en) * 2015-05-29 2016-12-01 Intel Corporation Access control for memory protection key architecture

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LLUIS VILANOVA ET AL.: "computer architecture", 14 June 2014, IEEE PRESS, article "CODOMs", pages: 469 - 480
See also references of EP3844625A4

Also Published As

Publication number Publication date
US20200073820A1 (en) 2020-03-05
CN112602070A (en) 2021-04-02
US20220414019A1 (en) 2022-12-29
US10915457B2 (en) 2021-02-09
US11436156B2 (en) 2022-09-06
KR20210022141A (en) 2021-03-02
EP3844625A1 (en) 2021-07-07
EP3844625A4 (en) 2022-05-11
US20210149817A1 (en) 2021-05-20

Similar Documents

Publication Publication Date Title
US11620239B2 (en) Domain register for instructions being executed in computer processors
US11481241B2 (en) Virtual machine register in a computer processor
US11182507B2 (en) Domain crossing in executing instructions in computer processors
US10915457B2 (en) Memory access control through permissions specified in page table entries for execution domains
US11500665B2 (en) Dynamic configuration of a computer processor based on the presence of a hypervisor
US12056057B2 (en) Security configurations in page table entries for execution domains
US11914726B2 (en) Access control for processor registers based on execution domains
US20200073822A1 (en) Security Configuration for Memory Address Translation from Object Specific Virtual Address Spaces to a Physical Address Space

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19854482

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 20217004839

Country of ref document: KR

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2019854482

Country of ref document: EP

Effective date: 20210330